
Subba Rao <[EMAIL PROTECTED]> wrote:
>
> The system has 2 interfaces.  ETH0 is connected to the Internet (via
> cablemodem) and ETH1 is connected to my home LAN

> INTERNAL_NET="10.0.0.0/24"
> 
> INTERNET=`ifconfig eth0 | grep inet | cut -d : -f 2 | cut -d \  -f 1`
> 
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> 
> # Allow some packets in but accept all those on the internal interface
> /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth0 -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth1 -j ACCEPT

Because you allow packets in on all interfaces, none of your following
INPUT rules will be processed.  Any packet coming in will appear on one
of these interfaces, right?  They'll all be accepted.

Furthermore, since you didn't set up any FORWARD rules, then any packets
from the internet attempting to forward through your gateway will also
be accepted.

> iptables -t nat -A POSTROUTING -d $INTERNAL_NET -o $INTERNET -j ACCEPT

I don't understand this rule, because it specifies what should be
accepted, but there is no rule that would cause it to be denied anyway,
so it is unnecessary.

The rule is incorrect anyway; the "-o" option is supposed to choose the
name of an interface, such as "eth0".  Instead, you give an IP address. 
The rule will be accepted in case you ever create an interface called
"63.49.22.17" (for example), but you are very unlikely to do that, so
the rule will have no effect.

> iptables -t nat -A POSTROUTING -o $INTERNET -s $INTERNAL_NET -j MASQUERADE

This rule suffers from the same problem, using an IP address where an
interface name should appear.

> # Block inbound connections
> 
> /usr/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j DROP

This rule will never be seen, because an earlier INPUT rule specifies
that all packets on eth0 should be accepted.

> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies

These look correct.


Now then, how to fix this?

You probably do not need the complex line INTERNET=`blah blah`.  There
is actually not much reason to need to know your outgoing IP address,
because you can simply control your traffic using interface names
instead.

Your input rule that is attempting to match "syn" packets and deny them
is going about things in the wrong way: iptables is a stateful
inspection firewall, and so it knows the difference between packets that
are trying to start a connection and packets that are trying to
continue a connection.  You would do better to use the "-m state"
method, and specify "--state ESTABLISHED,RELATED" to specify that only
connections initiated by your Linux box should be allowed.


Here is a version of your script that I have rewritten.  See what you
think:

    #!/bin/sh

    echo "Starting Firewall....."

    INTERNAL_NET="10.0.0.0/24"

    INTERNAL_IF="eth1"
    EXTERNAL_IF="eth0"

    # Flush the tables

    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -t nat -F

    # Set default policies for packet entering this box

    iptables -P INPUT   DROP
    iptables -P OUTPUT  ACCEPT
    iptables -P FORWARD DROP

    # Allow some packets in but accept all those on the internal interface

    iptables -A INPUT -i lo           -j ACCEPT
    iptables -A INPUT -i $INTERNAL_IF -j ACCEPT

    # Only allow packets in if they were initiated here

    iptables -A INPUT -i $EXTERNAL_IF -m state \
                --state ESTABLISHED,RELATED -j ACCEPT

    # Allow incoming forwards to continue only.  Outgoing forwards always.

    iptables -A FORWARD -i $INTERNAL_IF -o $EXTERNAL_IF -j ACCEPT
    iptables -A FORWARD -i $EXTERNAL_IF -o $INTERNAL_IF -m state \
                --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerade internal system with the public IP address

    iptables -t nat -A POSTROUTING -o $EXTERNAL_IF \
                                -s $INTERNAL_NET -j MASQUERADE

    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)     || "Good judgment comes from experience.
sometimes known as David DeSimone  ||  Experience comes from bad judgment."
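As an added example (not code from the list post or from either poster), here is a small Python check that reads a firewall script like the one quoted above and reports the two mistakes this reply walks through: an IP address given to -i/-o where an interface name belongs, and a rule that can never match because an earlier unconditional ACCEPT in the same chain already covers its interface. The sample script inside it is constructed to reproduce those mistakes, with 63.49.22.17 standing in for the ifconfig output.

```python
import re
import shlex

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")
# Constructed sample of the quoted script's problems (not the poster's file
# verbatim); 63.49.22.17 stands in for whatever ifconfig would have printed.
ORIGINAL = """
INTERNAL_NET="10.0.0.0/24"
INTERNET="63.49.22.17"
iptables -P INPUT DROP
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -d $INTERNAL_NET -o $INTERNET -j ACCEPT
iptables -t nat -A POSTROUTING -o $INTERNET -s $INTERNAL_NET -j MASQUERADE
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j DROP
"""

def parse_opts(argv):
    """Map each flag to its value ('-i' -> 'eth0'); bare flags like --syn map to True."""
    opts, i = {}, 1
    while i < len(argv):
        has_val = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        opts[argv[i]] = argv[i + 1] if has_val else True
        i += 2 if has_val else 1
    return opts

def lint(script):
    """Findings for the two mistakes the reply describes: an IP address given to
    -i/-o, and a rule shadowed by an earlier unconditional ACCEPT in its chain."""
    env, findings, blanket = {}, [], {}
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        assign = re.match(r"^(\w+)=(.*)$", line)
        if assign:  # plain NAME="value" shell assignment, used to expand $NAME below
            env[assign.group(1)] = (shlex.split(assign.group(2)) or [""])[0]
            continue
        argv = [env.get(t[1:], t) if t.startswith("$") else t for t in shlex.split(line)]
        opts = parse_opts(argv) if argv and argv[0].endswith("iptables") else {}
        if "-A" not in opts:
            continue
        chain = (opts.get("-t", "filter"), opts["-A"])
        for flag in ("-i", "-o"):
            if isinstance(opts.get(flag), str) and IPV4.match(opts[flag]):
                findings.append(f"line {lineno}: {flag} expects an interface name, got {opts[flag]}")
        iface = opts.get("-i")
        if blanket.get(chain, set()) & {"*", iface}:
            findings.append(f"line {lineno}: never reached, an earlier unconditional ACCEPT already covers {iface or 'every interface'}")
        if opts.get("-j") == "ACCEPT" and set(opts) <= {"-t", "-A", "-i", "-j"}:
            blanket.setdefault(chain, set()).add(iface or "*")
    return findings
```

Running lint() on the rewritten script further up produces no findings, because its external-interface ACCEPT carries a "-m state" match and so is not a blanket rule.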
_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]